Socket-based Ghidra plugin that exposes a Model Context Protocol (MCP) server for AI-assisted binary analysis.
https://github.com/13bm/GhidraMCP
Stop context-switching between Ghidra's interface and your analysis notes. GhidraMCP bridges your favorite reverse engineering tool with AI assistants, letting you ask questions about binaries in plain English and get instant, actionable insights.
You're already spending hours in Ghidra analyzing binaries. You know the drill - open the decompiler, trace through function calls, identify crypto implementations, hunt for vulnerabilities. But what if you could ask "What encryption algorithms are used in this binary?" and get an immediate answer with specific addresses and code snippets?
GhidraMCP implements the Model Context Protocol to connect Ghidra directly with AI assistants like Claude. Instead of manually piecing together analysis patterns, you get AI-powered insights that understand your binary's structure, behavior, and potential security issues.
Natural Language Binary Analysis: Ask complex questions and get structured answers with specific addresses and code references. No more manual correlation between different Ghidra views.
Automated Security Pattern Detection: Built-in functions identify crypto implementations, obfuscated strings, user input sources, and API call sequences. The AI contextualizes these findings within your specific binary.
Intelligent Function Naming: Instead of manually renaming functions based on analysis, describe what they do and let the AI suggest appropriate names with context.
Call Graph Generation: Generate hierarchical call graphs with AI commentary on execution flow and potential attack paths.
Malware Analysis: "Show me all suspicious API calls and explain their purpose in the context of this malware sample." Get categorized API sequences with security implications.
Vulnerability Research: "Are there any potential buffer overflow vulnerabilities in this code?" The AI analyzes user input sources, buffer operations, and bounds checking.
Crypto Analysis: "Identify all cryptographic implementations and explain their security properties." Get detailed analysis of both standard and custom crypto code.
Reverse Engineering: "Explain the authentication mechanism in this program" with detailed walkthrough of the auth flow and potential bypasses.
The plugin provides 12 specialized analysis tools through MCP:
GhidraMCP runs as a socket server (default port 8765) that starts automatically with your Ghidra project. The Python bridge script handles MCP communication, so you can:
No workflow disruption - it enhances your existing Ghidra analysis rather than replacing it.
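Because the plugin opens a listening socket (default port 8765) whenever the project is open, it is worth confirming which address that socket is bound to. The following is an added example, not code from the GhidraMCP project: it parses `ss -H -ltn` output and flags any listener on that port that is not loopback-only. The sample output is constructed, and the page does not state which address the plugin binds to.

```python
import ipaddress

GHIDRA_MCP_PORT = 8765  # default port stated on the page

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 50  127.0.0.1:8765            0.0.0.0:*
LISTEN 0 128 0.0.0.0:22                0.0.0.0:*
LISTEN 0 50  *:8765                    *:*
LISTEN 0 50  [::ffff:127.0.0.1]:8765   *:*
LISTEN 0 50  192.0.2.10:8765           0.0.0.0:*
"""

def classify_bind(host):
    """Return 'loopback', 'all-interfaces' or 'specific-interface'."""
    host = host.split("%", 1)[0].strip("[]")  # drop scope id and brackets
    if host == "*":  # ss prints '*' for a dual-stack wildcard bind
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    return "specific-interface"

def audit_listeners(ss_output, port=GHIDRA_MCP_PORT):
    """Return [(local_address, classification)] for listeners on `port`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):
            continue
        findings.append((fields[3], classify_bind(host)))
    return findings

def exposed(findings):
    """Listeners reachable from something other than the local machine."""
    return [addr for addr, kind in findings if kind != "loopback"]

if __name__ == "__main__":
    for addr, kind in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{addr:28} {kind}")
```

On a live host, pass the real output of `ss -H -ltn` to `audit_listeners` instead of the sample.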
Prerequisites: Ghidra 11.2.1+, Java 17+, Python 3.8+
# Install the bridge
pip install FastMCP
# Configure your AI client (Claude example)
{
  "mcpServers": {
    "ghidra": {
      "command": "python",
      "args": ["path/to/ghidra_server.py"]
    }
  }
}
Install the plugin through Ghidra's extension manager, enable it, and start analyzing with AI assistance.
The specialized security functions give you immediate insights that typically require manual analysis:
These tools don't just find patterns - they provide context about why they matter for your analysis.
If you're doing binary analysis, this plugin turns your AI assistant into a knowledgeable reverse engineering partner. Instead of manually correlating Ghidra's output, you get intelligent analysis that understands both the technical details and the security implications.
The 55 GitHub stars and active development show this isn't just a proof of concept - it's a working tool that's already improving real analysis workflows.